
Commit d387b66

Merge pull request #302416 from v-thepet/app14
Freshness: Azure App Service 14
2 parents 777a17c + c6970ba commit d387b66

3 files changed

Lines changed: 64 additions & 48 deletions

File tree

articles/app-service/configure-authentication-provider-google.md

Lines changed: 23 additions & 17 deletions
@@ -3,7 +3,7 @@ title: Configure Google Authentication
33
description: Learn how to configure Google authentication as an identity provider for your App Service or Azure Functions app.
44
ms.assetid: 2b2f9abf-9120-4aac-ac5b-4a268d9b6e2b
55
ms.topic: how-to
6-
ms.date: 03/29/2021
6+
ms.date: 07/10/2025
77
ms.custom: fasttrack-edit, AppServiceIdentity
88
author: cephalin
99
ms.author: cephalin
@@ -20,32 +20,38 @@ To complete the procedure, you must have a Google account that has a verified em
2020

2121
## <a name="register"> </a>Register your application with Google
2222

23-
1. Follow the Google documentation at [Sign In with Google for Web - Setup](https://developers.google.com/identity/gsi/web/guides/fedcm-migration) to create a client ID and client secret. You don't need to make any code changes. Use the following information:
24-
- For **Authorized JavaScript Origins**, use `https://<app-name>.azurewebsites.net` with the name of your app in *\<app-name>*.
25-
- For **Authorized Redirect URI**, use `https://<app-name>.azurewebsites.net/.auth/login/google/callback`.
26-
1. Copy the **App ID** and the **App Secret** values.
23+
1. Follow the Google documentation at [Get your Google API client ID](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid) to create a client ID and client secret. You don't need to make any code changes.
24+
- For **Authorized JavaScript Origins**, use `https://<app-name>.azurewebsites.net`, replacing `<app-name>` with the name of your app.
25+
- For **Authorized Redirect URI**, use `https://<app-name>.azurewebsites.net/.auth/login/google/callback`.
26+
1. Make a note of the **App ID** and the **App Secret** values to use in the Azure app configuration.
2727

28-
> [!IMPORTANT]
29-
> The **App Secret** value is an important security credential. Don't share this secret with anyone or distribute it within a client application.
28+
> [!IMPORTANT]
29+
> The **App Secret** value is an important security credential. Don't share this secret with anyone or distribute it within a client application.
3030
3131
## <a name="secrets"> </a>Add Google information to your application
3232

33-
1. Sign in to the [Azure portal] and go to your app.
34-
1. Select **Authentication** on the left menu. Select **Add identity provider**.
35-
1. Select **Google** in the identity provider dropdown. Paste in the **App ID** and **App Secret** values that you obtained previously.
33+
1. On the [Azure portal] page for your app, select **Authentication** under **Settings** in the left navigation menu.
3634

37-
The secret is stored as a slot-sticky [application setting](./configure-common.md#configure-app-settings) named `GOOGLE_PROVIDER_AUTHENTICATION_SECRET`. You can later update that setting to use [Key Vault references](./app-service-key-vault-references.md) if you wish to manage the secret in Azure Key Vault.
35+
1. On the **Authentication** page, select **Add identity provider**, or select **Add provider** in the **Identity provider** section.
3836

39-
1. If this is the first identity provider configured for the application, you're also prompted with an **App Service authentication settings** section. Otherwise, you can move to the next step.
40-
41-
The **App Service authentication settings** values determine how your application responds to unauthenticated requests. The default selections will redirect all requests to sign in with this new provider. You can customize this behavior now or adjust these settings later from the main **Authentication** screen by choosing **Edit** next to **Authentication settings**. To learn more about these options, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
37+
1. On the **Add an identity provider** page, select **Google** in the identity provider dropdown.
38+
39+
1. Enter the **App ID** and **App Secret** values you obtained previously.
40+
41+
1. If this is the first identity provider for the application, the **App Service authentication settings** section appears with settings such as how your application responds to unauthenticated requests. The default selections redirect all requests to sign in with the new provider.
42+
43+
If you already configured an identity provider for the app, this section doesn't appear. You can customize the settings later if necessary.
4244

4345
1. Select **Add**.
4446

45-
> [!NOTE]
46-
> For adding scope: You can define what permissions your application has in the provider's registration portal. The app can request scopes at the time of sign-in, which use these permissions.
47+
On the **Authentication** page, the **Google** provider now appears in the **Identity provider** section. You can edit the provider settings by selecting the pencil icon under **Edit**.
4748

48-
You're now ready to use Google for authentication in your app. The provider is listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.
49+
The **Authentication settings** section shows settings such as how the application responds to unauthenticated requests. You can edit these settings by selecting **Edit** next to **Authentication settings**. To learn more about the options, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
50+
51+
The application secret is stored as a slot-sticky [application setting](configure-common.md#configure-app-settings) named `GOOGLE_PROVIDER_AUTHENTICATION_SECRET`. You can see this setting on the **App Settings** tab of your app's **Environment variables** page in the portal. If you want to manage the secret in Azure Key Vault, you can update the setting to use [Key Vault references](app-service-key-vault-references.md).
52+
53+
> [!NOTE]
54+
> To add scopes, define the permissions your application has in the provider's registration portal. The app can request scopes that use these permissions at sign-in time.
4955
5056
## Related content
5157
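Review bot: steps 23+ and 26+ use two vocabularies for the same credential: the Google page the reader is sent to produces a *client ID* and *client secret*, while step 26+ and the portal step 39+ call them **App ID** and **App Secret**, so a reader may search Google's console for labels that never appear there. Suggest stating the mapping once at 26+, e.g. `1. Make a note of the client ID and client secret values; you enter them as the **App ID** and **App Secret** in the Azure app configuration.` Also at 51+, since the line itself says the stored secret is visible on the **Environment variables** page, the Key Vault reference sentence reads better as the recommended path rather than an optional one.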

articles/app-service/configure-authentication-provider-openid-connect.md

Lines changed: 39 additions & 30 deletions
@@ -2,7 +2,7 @@
22
title: Configure an OpenID Connect Provider
33
description: Learn how to configure an OpenID Connect provider as an identity provider for your App Service or Azure Functions app.
44
ms.topic: how-to
5-
ms.date: 04/02/2025
5+
ms.date: 07/10/2025
66
ms.reviewer: mahender
77
ms.custom: AppServiceIdentity
88
author: cephalin
@@ -11,66 +11,75 @@ ms.author: cephalin
1111
ms.service: azure-app-service
1212
---
1313

14-
# Configure your App Service or Azure Functions app to sign in by using an OpenID Connect provider
14+
# Configure your App Service or Azure Functions app to use an OpenID Connect provider
1515

1616
[!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)]
1717

18-
This article shows you how to configure Azure App Service or Azure Functions to use a custom authentication provider that adheres to the [OpenID Connect (OIDC) specification](https://openid.net/connect/). OIDC is an industry standard that many identity providers (IDPs) use. You don't need to understand the details of the specification for your app to use an OIDC identity provider.
18+
This article shows you how to configure Azure App Service or Azure Functions to use a custom authentication provider that adheres to the [OpenID Connect (OIDC) specification](https://openid.net/connect/). OIDC is an industry standard that many identity providers use. You don't need to understand the details of the specification to use an OIDC identity provider for your app.
1919

20-
You can configure your app to use one or more OIDC providers. Each provider must have a unique alphanumeric name in the configuration. Only one provider can serve as the default redirect target.
20+
You can configure your app to use one or more OIDC providers. You must give each OIDC provider a unique friendly name in the app configuration. Only one provider can serve as the default redirect target.
2121

22-
## <a name="register"> </a>Register your application with the identity provider
22+
## <a name="register"> </a>Register your app with the OIDC identity provider
2323

24-
Your provider requires you to register the details of your application with it. One of these steps involves specifying a redirect URI that has the form `<app-url>/.auth/login/<provider-name>/callback`. Each identity provider should provide more instructions on how to complete the steps. The `<provider-name>` value refers to the friendly name that you give to the OpenID provider name in Azure.
24+
Your provider requires you to register your application by specifying a redirect URI in the form `<app-url>/.auth/login/<provider-name>/callback`. In the redirect URI, replace `<app-url>` with your app URL and `<provider-name>` with the friendly name you're giving the OpenID provider in Azure.
2525

2626
> [!NOTE]
27-
> Some providers might require extra steps for their configuration and for using the values that they provide. For example, Apple provides a private key that isn't itself used as the OIDC client secret. You use it to create a JSON Web Token (JWT). You use the web token as the secret that you provide in your app configuration. For more information, see [Creating a client secret](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens).
27+
> The OpenID provider name can't contain a hyphen `-`, because an App Service application setting is created based on this name, and application settings don't support hyphens. You can use an underscore `_` instead.
2828
29-
You need to collect a *client ID* and a *client secret* for your application. The client secret is an important security credential. Don't share this secret with anyone or distribute it in a client application.
29+
When you register your app, you need to collect a *client ID* and a *client secret* for your application. Make a note of these values to use in the Azure app configuration.
3030

3131
> [!NOTE]
32-
> You only need to provide a client secret to the configuration if you would like to acquire access tokens for the user through interactive login flow using the authorization code flow. If this is not your case, collecting a secret is not required.
32+
> - The client secret value is an important security credential. Don't share this secret with anyone or distribute it within a client application.
33+
> - Your app must provide the client secret if you want users to acquire access tokens using the interactive authorization code flow. If you don't want to acquire access tokens, you don't need to use a secret.
3334
34-
You also need the OIDC metadata for the provider. This metadata is often exposed in a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), which is the provider's issuer URL suffixed with `/.well-known/openid-configuration`. Get this configuration URL.
35+
You also need the provider's OIDC metadata. This metadata is often exposed in a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) that you can get at the path formed by appending `/.well-known/openid-configuration` to the provider's issuer URL.
3536

36-
If you can't use a configuration metadata document, get the following values separately:
37+
If you can't access a configuration metadata document, get the following values separately:
3738

38-
- The issuer URL (sometimes shown as `issuer`)
39-
- The [OAuth 2.0 authorization endpoint](https://tools.ietf.org/html/rfc6749#section-3.1) (sometimes shown as `authorization_endpoint`)
40-
- The [OAuth 2.0 token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) (sometimes shown as `token_endpoint`)
41-
- The URL of the [OAuth 2.0 JSON Web Key set](https://tools.ietf.org/html/rfc8414#section-2) document (sometimes shown as `jwks_uri`)
39+
- The issuer URL, sometimes shown as `issuer`.
40+
- The [OAuth 2.0 authorization endpoint](https://tools.ietf.org/html/rfc6749#section-3.1), sometimes shown as `authorization_endpoint`.
41+
- The [OAuth 2.0 token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2), sometimes shown as `token_endpoint`.
42+
- The URL of the [OAuth 2.0 JSON Web Key set](https://tools.ietf.org/html/rfc8414#section-2) document, sometimes shown as `jwks_uri`.
43+
44+
Each identity provider should provide instructions on how to complete the registration steps. Some providers might require extra steps for their configuration or for using the values that they provide. For example, Apple provides a private key that you use to create a JSON Web Token (JWT), which you enter as the secret in your app configuration. For more information, see [Creating a client secret](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens).
4245

4346
## <a name="configure"> </a>Add provider information to your application
4447

45-
To add provider information for your OpenID Connect provider, follow these steps.
48+
To configure the OpenID Connect provider in Azure, follow these steps:
49+
50+
1. On the [Azure portal](https://portal.azure.com) page for your app, select **Authentication** under **Settings** in the left navigation menu.
4651

47-
1. Sign in to the [Azure portal] and go to your app.
52+
1. On the **Authentication** page, select **Add identity provider**, or select **Add provider** in the **Identity provider** section.
4853

49-
1. On the left menu, select **Settings** > **Authentication**. Then select **Add identity provider**.
54+
1. On the **Add an identity provider** page, select **OpenID Connect** as the provider.
5055

51-
1. For **Identity provider**, select **OpenID Connect**.
56+
1. For **OpenID provider name**, enter the friendly name you chose for your OIDC provider.
5257

53-
1. For **OpenID provider name**, provide the unique alphanumeric name that you selected earlier.
58+
1. Under **OpenID Connect provider configuration**, if you have a metadata document from the identity provider, select **Document URL** for **Metadata entry**.
5459

55-
1. If you have the URL for the metadata document from the identity provider, provide that value for **Metadata URL**.
60+
If you don't have a metadata document, select **Enter metadata**, and enter each URL from the identity provider in the appropriate field.
5661

57-
Otherwise, select **Provide endpoints separately**. Put each URL from the identity provider in the appropriate field.
62+
1. Under **App registration**, provide the values you collected earlier for **Client ID** and **Client secret**.
5863

59-
1. Provide the values that you collected earlier for **Client ID**. If the **Client secret** was also collected, provide it as part of the configuration process.
64+
1. If this is the first identity provider for the application, the **App Service authentication settings** section appears with settings such as how your application responds to unauthenticated requests. The default selections redirect all requests to sign in with the new provider.
6065

61-
1. Specify an application setting name for your client secret. Your client secret is stored as an app setting to ensure that secrets are stored in a secure fashion. If you want to manage the secret in Azure Key vault, update that setting later to use [Azure Key Vault references](./app-service-key-vault-references.md).
66+
If you already configured an identity provider for the app, this section doesn't appear. You can customize the settings later if necessary.
6267

6368
1. Select **Add** to finish setting up the identity provider.
6469

65-
> [!NOTE]
66-
> The OpenID provider name can't contain a hyphen (-) because an app setting is created based on this name. The app setting doesn't support hyphens. Use an underscore (_) instead.
67-
>
68-
> It also requires that the `aud` scope in your token be the same as the **Client Id** as configured above. It is currently not possible to configure the allowed audiences for this provider at the moment.
70+
On the **Authentication** page, **\<oidc_friendly_name>(custom provider)** now appears in the **Identity provider** section. You can edit the provider's settings by selecting its pencil icon under **Edit**.
71+
72+
The **Authentication settings** section shows settings such as how the application responds to unauthenticated requests. You can edit these settings by selecting **Edit** next to **Authentication settings**. To learn more about the options, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
73+
74+
The application secret is stored as a slot-sticky [application setting](configure-common.md#configure-app-settings) named `<oidc_friendly_name>_AUTHENTICATION_SECRET`. You can see the setting on the **App Settings** tab of your app's **Environment variables** page in the portal. If you want to manage the secret in Azure Key Vault, you can edit the setting to use [Key Vault references](app-service-key-vault-references.md).
75+
76+
>[!NOTE]
77+
>To add scopes, define the permissions your application has in the provider's registration portal. The app can request scopes that use these permissions at sign-in time.
6978
>
70-
> Azure requires `openid`, `profile`, and `email` scopes. Make sure that you configure your app registration in your ID provider with at least these scopes.
79+
>- Azure requires `openid`, `profile`, and `email` scopes. Make sure that you configure your app registration in your identity provider with at least these scopes.
80+
>- The `aud` scope must be the same as the configured **Client Id**. You can't configure the allowed audiences for this provider.
7181
7282
## <a name="related-content"> </a>Related content
7383

7484
[!INCLUDE [app-service-mobile-related-content-get-started-users](../../includes/app-service-mobile-related-content-get-started-users.md)]
7585

76-
[Azure portal]: https://portal.azure.com
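Review bot: line 80+ (carried over from 68-) calls `aud` a scope, but `aud` is the audience claim in the token, not a scope the app requests; the requirement is that the token's audience equals the configured client ID, so the bullet should read along the lines of `>- The `aud` claim in the token must match the configured **Client ID**. You can't configure other allowed audiences for this provider.` The same line spells the field **Client Id** while step 62+ spells it **Client ID**; pick one. Finally, the hyphen note at 27+ and the setting name at 74+ (`<oidc_friendly_name>_AUTHENTICATION_SECRET`) describe one constraint from two ends, so naming the resulting setting in the 27+ note would explain why a hyphen is rejected.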

includes/app-service-mobile-selector-authentication.md

Lines changed: 2 additions & 1 deletion
@@ -2,13 +2,14 @@
22
author: conceptdev
33
ms.service: app-service-mobile
44
ms.topic: include
5-
ms.date: 05/21/2024
5+
ms.date: 07/08/2025
66
ms.author: crdun
77
---
88
> [!div class="op_single_selector"]
99
> * [Microsoft Entra](../articles/app-service/configure-authentication-provider-aad.md)
1010
> * [Facebook](../articles/app-service/configure-authentication-provider-facebook.md)
1111
> * [Google](../articles/app-service/configure-authentication-provider-google.md)
12+
> * [GitHub](../articles/app-service/configure-authentication-provider-github.md)
1213
> * [X](../articles/app-service/configure-authentication-provider-twitter.md)
1314
> * [OpenID Connect provider](../articles/app-service/configure-authentication-provider-openid-connect.md)
1415
> * [Sign in with Apple (preview)](../articles/app-service/configure-authentication-provider-apple.md)
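Review bot: line 12+ links to `../articles/app-service/configure-authentication-provider-github.md`, but that file isn't among the three files this commit touches, so the link only resolves if the GitHub article already exists on the target branch; confirm that before merge, because a broken link in a shared include surfaces in every article that pulls in this selector.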
